What is Malware?
Malware is an abbreviated form of “malicious software”. The word malicious means “having or showing a desire to cause harm to someone”. The word malware is a common term used to describe a virus, worm, trojan, or any other harmful program. This means that all viruses are malware, and malware is the superset: any software or code that can cause harm to your computer.
Programs are also considered malware if they secretly act against the interests of the computer user. For example, at one point Sony Music compact discs silently installed a rootkit on purchasers’ computers with the intention of preventing illicit copying, but the rootkit also reported on users’ listening habits and unintentionally created extra security vulnerabilities.
Who Creates Malware and Why?
Malware is created by a wide range of people such as vandals, swindlers, blackmailers, and other criminals. The main motive behind creating malware is to make money, but the other reasons may range from pranks to espionage and other serious crimes.
If you’re mystified as to why someone would want to put so much effort into attacking your computer or your mobile devices, you have to think of the type of people that create malware.
As the use of computers, mobile devices, and the Internet has grown, many people have the opportunities to benefit by creating this harmful computer malware. In the past, many of these malware creators were just pranksters trying to alleviate boredom and make a name for themselves.
While this is still true for some, most malware is created for the following three main reasons:
- To make money: The malware is designed to capture information about the computer user and send it to the person or company responsible for making the malware. The information they collect is then used to target advertisements to your computer. These ads come in the form of e-mails and pop-ups on your computer. If enough computers get infected, they can earn money from all these ads displayed.
- To steal account information: The malware is also used in tricking a victim into providing personal data for identity theft which in turn is used to gain access to the victim’s crucial accounts like bank accounts.
- To cause problems and troubles for others: Some people create malware just because they enjoy causing trouble, making others suffer. Some malware can crash an entire network system and cause system outages for large companies, like banks or production companies.
Malware creation really flourishes in regions where cybercrime laws are not enforced and there are few opportunities for technically skilled people.
Classification of Malware
Malware can be classified in the following ways:
- Delivery method: The malware is classified based on its delivery method or attack methodology. These include drive-by downloads that distribute malware simply by visiting a website, phishing emails that trick victims into divulging data, man-in-the-middle attacks that take over control of a computer, or cross-site scripting where an attacker injects malicious code into the content of a website.
- Vulnerability type: The specific type of vulnerability that the malware exploits. Examples include SQL injection, used by attackers to gain access to or modify data, and domain spoofing, where bad actors lure web visitors into clicking links to their ads or websites by making them look like legitimate sites.
- The objective of the malware: For instance, Ransomware has a purely financial goal, whereas Spyware is out to capture confidential or sensitive information, and Keyloggers capture usernames and passwords.
- Target device: By the platform or device that the malware targets, such as mobile malware, or attacks that target a specific operating system.
- The approach of malware: The malware’s approach to stealth, or how it attempts to hide. Rootkits that typically replace legitimate operating system components with malicious versions are an example.
- Malware behaviour and characteristics: Specific behaviours and characteristics – like how the malware replicates and spreads, or other attributes that distinguish it from other forms of malware. This is the most common method of classifying malware.
Types of Malware
Based on the above-mentioned characteristics, malware can be classified as:
1. Virus
A computer virus is like a flu virus: it is designed to spread from host to host and has the ability to replicate itself. In the same way that flu viruses cannot reproduce without a host cell, computer viruses cannot reproduce and spread without a host such as a file or document.
A computer virus is a type of malicious code or program written to alter the way a computer operates and is designed to spread from one computer to another.
A virus operates by inserting or attaching itself to a legitimate program or document that supports macros in order to execute its code. In the process, a virus has the potential to cause unexpected or damaging effects, such as harming the system software by corrupting or destroying data.
2. Worm
A worm is a form of malware that operates as a self-contained application and can transfer and copy itself from computer to computer.
It’s this ability to operate autonomously, without the need for a host file or to hijack code on the host computer, that distinguishes worms from other forms of malware. Worms often use parts of an operating system that are automatic and invisible to the user.
They generally target pre-existing vulnerabilities in the operating system of the computers they attempt to infect. Many of the most widespread and destructive forms of malware have been worms.
3. Trojan
In computing, a Trojan horse (or simply trojan) is any malware that misleads users of its true intent. The term is derived from the Ancient Greek story of the deceptive Trojan Horse that led to the fall of the city of Troy.
Trojans are generally spread by some form of social engineering, for example where a user is duped into executing an email attachment disguised to appear unsuspicious (e.g., a routine form to be filled in), or by clicking on a fake advertisement on social media or elsewhere.
Trojans may allow an attacker to access users’ personal information such as banking information, passwords, or personal identity. It can also delete a user’s files or infect other devices connected to the network.
Unlike computer viruses, worms, and rogue security software, Trojans generally do not attempt to inject themselves into other files or otherwise propagate themselves.
4. Ransomware
Ransomware is malicious software that infects your computer and displays messages demanding a fee to be paid in order for your system to work again.
This class of malware is a criminal money making scheme that can be installed through deceptive links in an email message, instant message, or website. It has the ability to lock a computer screen or encrypt important predetermined files with a password.
5. Fileless Malware
Fileless malware is a variant of computer-related malicious software that exists exclusively as a computer memory-based artifact i.e., in RAM.
It does not write any part of its activity to the computer’s hard drive, meaning that it is very resistant to existing anti-forensic-aware detection strategies that rely on file-based whitelisting, signature detection, hardware verification, pattern analysis, time-stamping, etc., and it leaves very little evidence that digital forensic investigators could use to identify illegitimate activity.
Malware of this type is designed to work in memory, so it survives on the system only until the system is rebooted.
6. Adware
Adware tracks a user’s surfing activity to determine which ads to serve them. Although adware is similar to spyware, it does not install any software on a user’s computer, nor does it capture keystrokes.
The danger in adware is the erosion of a user’s privacy: it captures data about the user’s activity elsewhere on the internet and uses it to create a profile of that person, including who their friends are, what they have purchased, where they have traveled, and more. That information can be shared or sold to advertisers without the user’s consent.
7. Spyware
Spyware is a broad category of malware designed to secretly observe activity on a device and send those observations to a snooper. That data can be used to track your activity online and that information can be sold to marketers.
Spyware can also be used to steal personal information, such as account passwords and credit card numbers, which can result in identity theft and fraud.
8. Rootkit
A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or an area of its software that is not otherwise allowed (for example, to an unauthorized user) and often masks its existence or the existence of other software.
The term rootkit is a compound of “root” (the traditional name of the privileged account on Unix-like operating systems) and the word “kit” (which refers to the software components that implement the tool). The term “rootkit” has negative connotations through its association with malware.
Rootkit installation can be automated, or an attacker can install it after having obtained root or Administrator access. Obtaining this access is a result of a direct attack on a system, i.e. exploiting a known vulnerability (such as privilege escalation) or a password (obtained by cracking or social engineering tactics like “phishing”).
Once installed, it becomes possible to hide the intrusion as well as to maintain privileged access. Full control over a system means that existing software can be modified, including software that might otherwise be used to detect or circumvent it.
Rootkit detection is difficult because a rootkit may be able to subvert the software that is intended to find it. Detection methods include using an alternative and trusted operating system, behavioral-based methods, signature scanning, difference scanning, and memory dump analysis.
9. Keylogger
Keyloggers are a type of monitoring software designed to record keystrokes made by a user. These keystroke loggers record the information you type into a website or application and send it back to a third party.
Criminals use keyloggers to steal information or financial information such as banking details, which they can then sell or use for profit. Law enforcement and intelligence agencies also use keylogging for surveillance purposes.
10. Bot and Botnet
A bot is a computer that has been compromised through a malware infection and can be remotely controlled by a cybercriminal. A botnet is a short form of “robot network”. The cybercriminal can then use the bot (also known as a zombie computer) to launch more attacks or to bring it into a collection of controlled computers, known as a botnet.
Bots were originally designed to run as a user in chat rooms. They could proctor a room, booting out people who used foul language or were involved in other such activities.
The two main reasons why cybercriminals create botnets are for financial gains and/or for recognition.
11. Grayware
Grayware, also referred to as spyware, is any files or applications that can be detrimental to a computer’s performance and/or compromise its security. This can include keystroke loggers that can steal sensitive information for nefarious purposes.
Oftentimes, grayware is included as part of legitimate software installation packages and activated when the files are installed and the program is activated. The End User License Agreement (EULA) often has terms in it that explain how one’s data will be used, but most people don’t read it because of the length and legal technicality of EULAs.
Other grayware programs include programs that decipher passwords, hack computers to gain entry, remotely access computers to control them, change Internet settings to call pre-configured phone numbers with high charge rates, and adware.
12. Malvertising
Malvertising (malicious advertising) is the use of online advertising to spread malware. It typically involves injecting malicious or malware-laden advertisements into legitimate online advertising networks and webpages.
Online advertisements provide a solid platform for spreading malware because significant effort is put into them to attract users and sell or advertise a product. Because advertising content can be inserted into a high-profile and reputable website, malvertising gives malefactors an opportunity to push their attacks to web users who might not otherwise see the ads, due to firewalls or the like.
Malvertising is attractive to attackers because it can be easily spread across a large number of legitimate websites without directly compromising those websites.
13. Backdoor
A backdoor is a typically covert method of bypassing normal authentication or encryption in a computer, product, embedded device (e.g., a home router), or its embodiment (e.g., part of a cryptosystem, algorithm, chipset, etc.).
Backdoors are most often used for securing remote access to a computer or obtaining access to plaintext in cryptographic systems. From there it may be used to gain access to privileged information like passwords, corrupt or delete data on hard drives, or transfer information within autoschediastic networks.
A backdoor may take the form of a hidden part of a program, a separate program code in the firmware of the hardware, or parts of an operating system such as Windows.
Although some are secretly installed, other backdoors are deliberate and widely known. These kinds of backdoors have “legitimate” uses such as providing the manufacturer with a way to restore passwords.
14. Browser Hijacker
A browser hijacker is a form of unwanted software that modifies a web browser’s settings without the user’s permission, in order to inject unwanted advertising into the user’s browser. A browser hijacker may replace the existing home page, error page, or search engine with its own.
These are generally used to force hits to a particular website, increasing advertising revenue.
Some browser hijackers also contain spyware, for example, some install a software keylogger to gather information such as banking and e-mail authentication details. Some browser hijackers can also damage the registry on Windows systems, often permanently.
There are several methods that browser hijackers use to gain entry to an operating system. Email attachments and files downloaded through suspicious websites and torrents are common tactics that browser hijackers use.
15. Crimeware
Crimeware is a class of malware designed specifically to automate cybercrime.
Crimeware (as distinct from spyware and adware) is designed to perpetrate identity theft through social engineering or technical stealth in order to access a computer user’s financial and retail accounts for the purpose of taking funds from those accounts or completing unauthorized transactions that enrich the cyberthief.
Alternatively, crimeware may steal confidential or sensitive corporate information. Crimeware represents a growing problem in network security as many malicious code threats seek to pilfer confidential information.
16. RAM Scraper
A RAM scraper is a malicious program that scans the RAM of infected devices (usually POS terminals) to steal confidential data. Most often, memory scrapers are on the prowl for bank card numbers and PIN codes. Only cards with magnetic stripes are vulnerable; EMV chips are protected from this type of attack.
17. Rogue Security Software
Rogue security software is a form of malware that’s designed to trick victims into thinking their computer or device has been infected with a virus. Like legitimate antivirus products, it displays pop-up messages telling the victim that her or his computer or device has been infected with a virus. With rogue security software, however, there is no virus present.
If your computer or device is infected with rogue security software, it could cost you a substantial amount of money — assuming you fall for the trap. Rogue security software typically doesn’t steal data. Instead, it’s designed to trick you into paying for a fake removal service. After displaying a fake virus message, the software will contain instructions on how to clean your computer or device. Normally, the rogue security software will ask you to pay for a premium virus removal service or tool.
Like with ransomware, though, there’s no guarantee that paying the requested sum of money will remove the rogue security software. After making payment, the rogue security software may ask you to pay for an additional service or tool.
18. Cryptojacking
Either way, the cryptomining code then works in the background as unsuspecting victims use their computers normally. The only sign they might notice is slower performance or lags in execution.
19. Logic Bomb
A logic bomb is a piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met. For example, a programmer may hide a piece of code that starts deleting files (such as a salary database trigger), should they ever be terminated from the company.
Software that is inherently malicious, such as viruses and worms, often contains logic bombs that execute a certain payload at a pre-defined time or when some other condition is met. This technique can be used by a virus or worm to gain momentum and spread before being noticed. Some viruses attack their host systems on specific dates, such as Friday the 13th or April Fools’ Day. Trojans and other computer viruses that activate on certain dates are often called “time bombs”.
To be considered a logic bomb, the payload should be unwanted and unknown to the user of the software. As an example, trial programs with code that disables certain functionality after a set time are not normally regarded as logic bombs.
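The defining feature described above is a payload gated behind a trigger condition, typically a date check, hidden inside otherwise ordinary code. The following is an added example, not code from the article, of a simple defender-side static heuristic: it parses Python source with the standard `ast` module and flags any `if` whose condition reads the clock or calendar and whose body makes a destructive call. `SAMPLE_SOURCE`, the `DESTRUCTIVE_CALLS` and `TIME_NAMES` name lists, and the `/srv/payroll` path are all constructed for the demonstration.

```python
import ast

# Constructed sample source (not from the article): one legitimate cleanup routine
# and one routine with a hidden date-conditioned destructive branch, as the
# logic-bomb definition describes. The path is a placeholder.
SAMPLE_SOURCE = '''
import os, shutil
from datetime import date

def nightly_cleanup(tmp_dir):
    for name in os.listdir(tmp_dir):
        if name.endswith(".tmp"):
            os.remove(os.path.join(tmp_dir, name))

def run_payroll(records):
    if date.today() > date(2025, 6, 30):   # hidden trigger condition
        shutil.rmtree("/srv/payroll")      # destructive payload
    return sum(r["salary"] for r in records)
'''

# Assumed watch-lists for this heuristic; a real reviewer would extend them.
DESTRUCTIVE_CALLS = {"os.remove", "os.unlink", "os.rmdir", "shutil.rmtree",
                     "os.system", "subprocess.call", "subprocess.run"}
TIME_NAMES = {"date", "datetime", "time", "today", "now", "localtime", "strftime"}


def dotted_name(node):
    """Turn an ast.Attribute/ast.Name chain such as shutil.rmtree into 'shutil.rmtree'."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def references_time(test_node):
    """True if the `if` condition mentions any clock/calendar name."""
    for n in ast.walk(test_node):
        if isinstance(n, ast.Name) and n.id in TIME_NAMES:
            return True
        if isinstance(n, ast.Attribute) and n.attr in TIME_NAMES:
            return True
    return False


def destructive_calls(body):
    """Collect (line, dotted call name) for every watched call inside a block."""
    found = []
    for stmt in body:
        for n in ast.walk(stmt):
            if isinstance(n, ast.Call):
                name = dotted_name(n.func)
                if name in DESTRUCTIVE_CALLS:
                    found.append((n.lineno, name))
    return found


def find_suspicious_branches(source):
    """Return (if-line, condition text, [(line, call), ...]) for each `if` whose
    condition reads the clock/calendar and whose body makes a destructive call."""
    tree = ast.parse(source)
    hits = []
    for node in ast.walk(tree):
        if isinstance(node, ast.If) and references_time(node.test):
            calls = destructive_calls(node.body)
            if calls:
                hits.append((node.lineno, ast.unparse(node.test), calls))
    return hits


if __name__ == "__main__":
    for line, cond, calls in find_suspicious_branches(SAMPLE_SOURCE):
        print(f"line {line}: time-gated branch `if {cond}` makes destructive call(s) {calls}")
```

The legitimate `nightly_cleanup` routine also deletes files, but its condition is a filename test, so it is not reported; only the branch gated on `date.today()` is. A heuristic like this is triage input for a code review rather than a verdict: scheduled maintenance scripts will trip it, and an author who wants to evade it can obscure the condition, which is why the definition stresses that the payload is unknown to the user rather than any particular syntax.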
20. Hybrids and Exotic Forms
Apart from these, nowadays hybrids and exotic forms which are a combination of two or more of the above also exist.
How Does Malware Spread?
There are six common ways that malware spreads:
- Vulnerabilities: A security defect in software allows the malware to exploit it to gain unauthorized access to the computer, hardware, or network.
- Backdoors: An intended or unintended opening in software, hardware, networks, or system security.
- Drive-by Downloads: Unintended download of software with or without knowledge of the end-user.
- Homogeneity: If all systems are running the same operating system and connected to the same network, the risk of a successful worm spreading to other computers increases.
- Privilege Escalation: A situation where an attacker gets escalated access to a computer or network and then uses it to mount an attack.
- Blended Threats: Malware packages that combine characteristics from multiple types of malware making them harder to detect and stop because they can exploit different vulnerabilities.
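The homogeneity point in the list above is easy to demonstrate with a small model. The following is an added example, not code from the article: a constructed toy network of hosts on a ring, each able to reach its few nearest neighbours, with a worm that exploits a single flaw and therefore can only hop onto a neighbouring host running the vulnerable OS family. It compares the fraction of the estate compromised when every host runs the same OS with the fraction when OS families are mixed. The ring topology, `RING_REACH`, the host count and the seeded random OS assignment are all assumptions of the model.

```python
import random
from collections import deque

# Constructed toy model (not from the article): hosts sit on a ring and can reach
# RING_REACH neighbours on either side, like machines sharing one flat network.
RING_REACH = 3


def build_hosts(n_hosts, os_choices, seed=7):
    """Assign each host an OS family drawn at random from os_choices (seeded, so reproducible)."""
    rng = random.Random(seed)
    return [rng.choice(os_choices) for _ in range(n_hosts)]


def neighbours(i, n_hosts):
    """Hosts reachable from host i on the ring."""
    for d in range(1, RING_REACH + 1):
        yield (i + d) % n_hosts
        yield (i - d) % n_hosts


def simulate_worm(hosts, vulnerable_os, patient_zero):
    """Breadth-first spread: the worm exploits one flaw, so it can only move onto a
    reachable host that runs vulnerable_os. Returns the set of compromised hosts."""
    if hosts[patient_zero] != vulnerable_os:
        return set()
    infected = {patient_zero}
    queue = deque([patient_zero])
    while queue:
        h = queue.popleft()
        for nb in neighbours(h, len(hosts)):
            if nb not in infected and hosts[nb] == vulnerable_os:
                infected.add(nb)
                queue.append(nb)
    return infected


def infection_fraction(os_choices, n_hosts=200, seed=7):
    """Fraction of the estate compromised by a worm targeting os_choices[0],
    starting from the first host that runs that OS."""
    hosts = build_hosts(n_hosts, os_choices, seed)
    vulnerable = os_choices[0]
    p0 = next((i for i, name in enumerate(hosts) if name == vulnerable), None)
    if p0 is None:          # nothing to exploit
        return 0.0
    return len(simulate_worm(hosts, vulnerable, p0)) / n_hosts


if __name__ == "__main__":
    for mix in (["os-a"], ["os-a", "os-b"], ["os-a", "os-b", "os-c"]):
        print(f"{len(mix)} OS family(ies): {infection_fraction(mix):.1%} of hosts compromised")
```

With a single OS family the worm reaches every host, because each neighbour is exploitable. With two or three families it is contained not only because fewer hosts are vulnerable, but because chains of vulnerable neighbours are broken by hosts it cannot exploit, so most of the vulnerable population is never even reached. That is the defensive argument for diversity (and for segmentation, which shrinks `RING_REACH` in this model).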